Lucene search

[email protected]NVD:CVE-2020-8201

HistorySep 18, 2020 - 9:15 p.m.

CVE-2020-8201

2020-09-1821:15:12

CWE-444

[email protected]

web.nvd.nist.gov

node.js

http desync

http header.

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.003

Percentile

71.6%

JSON

Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.

Affected configurations

Nvd

Node

nodejsnode.jsRange12.0.0–12.18.4lts

nodejsnode.jsRange14.0.0–14.11.0

Node

opensuseleapMatch15.2

Node

fedoraprojectfedoraMatch33

VendorProductVersionCPE
nodejsnode.js*cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
nodejsnode.js*cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*
opensuseleap15.2cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
fedoraprojectfedora33cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
nodejs	node.js	*	cpe:2.3:a:nodejs:node.js:::::lts:::*
nodejs	node.js	*	cpe:2.3:a:nodejs:node.js::::::::
opensuse	leap	15.2	cpe:2.3:o:opensuse:leap:15.2:::::::*
fedoraproject	fedora	33	cpe:2.3:o:fedoraproject:fedora:33:::::::*